
Cyber Incident Victim: GoDaddy

Date: Nov 2021

Location: United States of America

Summary

A leading web hosting provider experienced a multi-year security breach affecting its cPanel shared hosting environment, where attackers stole source code, installed malware, and redirected customer website traffic to malicious domains. The incident, linked to prior compromises of WordPress and SSH credentials, exposed sensitive customer data including email addresses, admin passwords, sFTP and database credentials, and SSL private keys. The company collaborated with global law enforcement and forensic experts, attributing the attack to a sophisticated organized group targeting hosting services to distribute malware and conduct phishing campaigns. Remediation efforts included removing the malware and implementing enhanced security measures while gathering threat intelligence to support ongoing investigations.


Description

In early December 2022, GoDaddy began receiving customer complaints regarding intermittent website redirects affecting seemingly random sites hosted on its cPanel shared hosting servers. Investigations revealed an unauthorized third party had installed malware on these servers, causing the redirects to unknown domains. The company confirmed this was part of a multi-year intrusion campaign by a sophisticated, organized group targeting hosting services. Forensic evidence and law enforcement corroborated that the attackers aimed to infect infrastructure for malicious activities like phishing and malware distribution. This incident was linked to prior breaches disclosed in November 2021 and March 2020, indicating prolonged network access. The November 2021 breach involved compromised WordPress hosting credentials via a stolen password, exposing email addresses, WordPress admin passwords, sFTP credentials, database credentials, and SSL private keys for approximately 1.2 million Managed WordPress users. An earlier October 2019 breach, detected in March 2020, allowed attackers to access 28,000 customer web hosting accounts using stolen SSH credentials.


GoDaddy responded by remediating infected systems, implementing additional security measures, and collaborating with global law enforcement agencies and external cybersecurity forensics experts. The company publicly acknowledged the criminal organization’s focus on hosting providers and committed to monitoring their activities while gathering evidence on their tactics. Customer notifications were issued for each breach, alongside apologies for service disruptions. In its December 2022 10-K filing, GoDaddy formalized details of the cPanel compromise and reiterated efforts to enhance system security using insights from the incidents. The cumulative impact included unauthorized data access, prolonged attacker presence across multiple environments, and operational disruptions affecting customer websites through redirects and credential exposure. No specific customer financial losses or broader internet disruptions were detailed in the provided disclosures.
